{"id":4378,"date":"2025-06-03T10:01:03","date_gmt":"2025-06-03T10:01:03","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/06\/03\/sentinelone-global-service-outage-root-cause-revealed\/"},"modified":"2025-06-03T10:01:03","modified_gmt":"2025-06-03T10:01:03","slug":"sentinelone-global-service-outage-root-cause-revealed","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/06\/03\/sentinelone-global-service-outage-root-cause-revealed\/","title":{"rendered":"SentinelOne Global Service Outage Root Cause Revealed"},"content":{"rendered":"<div>\n<p>Cybersecurity company SentinelOne has released a comprehensive root cause analysis revealing that a software flaw in an infrastructure control system caused the global service disruption that affected customers worldwide on May 29, 2025.<\/p>\n<p>The outage, which lasted approximately 20 hours and was fully resolved by May 30 at 10:00 UTC, prevented customers from accessing the SentinelOne management console and related services.<\/p>\n<p>However, their endpoint protection remained operational throughout the incident.
The company has confirmed this was not a security-related event, and no customer data was lost.<\/p>\n<p>According to the official analysis, the disruption occurred when critical network routes and DNS resolver rules were automatically deleted due to a software flaw in a soon-to-be-deprecated control system.<\/p>\n<h2 class=\"wp-block-heading\" id=\"technical-root-cause\"><strong>SentinelOne Global Service Outage<\/strong><\/h2>\n<p>The incident began at 13:37 UTC on May 29 when the faulty system was triggered by the creation of a new account during SentinelOne\u2019s ongoing transition to a new Infrastructure-as-Code (IaC) architecture.<\/p>\n<p>\u201cA software flaw in the control system\u2019s configuration comparison function misidentified discrepancies and applied what it believed to be the appropriate configuration state, overwriting previously established network settings,\u201d the company <a href=\"https:\/\/www.sentinelone.com\/blog\/update-on-may-29-outage\/#heading-1\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">explained<\/a>. The deprecated system restored an empty route table, causing widespread loss of network connectivity across all regions.<\/p>\n<p>The outage significantly impacted security teams\u2019 ability to manage their operations, though endpoint protection continued uninterrupted.<\/p>\n<p>Customer <a href=\"https:\/\/cybersecuritynews.com\/sentinelone-outage\/\" target=\"_blank\" rel=\"noreferrer noopener\">reports began<\/a> flowing to SentinelOne Support at 13:55 UTC, just 18 minutes after the initial system failure. 
Engineering teams identified missing routes on Transit Gateways by 14:27 UTC and immediately began restoration efforts.<\/p>\n<p>SentinelOne\u2019s communication strategy encompassed multiple channels, including announcements on their Customer Portal, email notifications to all customers and partners, social media updates on platforms such as Reddit, and blog posts to keep stakeholders informed throughout the recovery process.<\/p>\n<p>Console access was restored by 20:05 UTC, with full service restoration achieved approximately 14 hours later.<\/p>\n<p>The company has implemented several corrective measures following the incident. SentinelOne is auditing EventBridge and other automatically triggered functions to prevent the deprecated control code from being activated during their architectural transition.<\/p>\n<p>The company is also accelerating its migration to the new IaC infrastructure to eliminate the risks associated with running split architectures.<\/p>\n<p>Additionally, SentinelOne has backed up all Transit Gateway configurations and is improving recovery automation to prevent manual restoration delays in future incidents.<\/p>\n<p>The company is also developing an independently operated public status page and has updated high-severity incident playbooks to ensure better customer communication.<\/p>\n<p>Notably, Federal customers using GovCloud environments were completely unaffected by this incident, though they were notified for transparency purposes. 
This highlights the segregated nature of SentinelOne\u2019s infrastructure designs for different customer segments.<\/p>\n<p>The incident underscores the complexities technology companies face when modernizing critical infrastructure while maintaining service continuity and demonstrates the importance of robust incident response procedures in cybersecurity operations.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/sentineloneoutage-root-cause\/\">SentinelOne Global Service Outage Root Cause Revealed<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SentinelOne Global Service Outage Root Cause Revealed Cybersecurity company SentinelOne has released a comprehensive root cause analysis revealing that a software flaw in an infrastructure control system caused the global service disruption that affected customers worldwide on May 29, 2025.
The outage, which lasted approximately 20 hours, was fully restored by May 30 at 10:00 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-4378","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4378"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4378"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4378\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}